[Zope-Checkins] SVN: Zope/branches/2.12/ - LP #143403: Prevent accidental acquisition of objectValues during

Jens Vagelpohl jens at dataflake.org
Wed Jun 16 11:20:31 EDT 2010 

Log message for revision 113560:
  - LP #143403: Prevent accidental acquisition of objectValues during
    recursive ownership changes when the changed object has no
    objectValues method.
  

Changed:
  U   Zope/branches/2.12/doc/CHANGES.rst
  U   Zope/branches/2.12/src/AccessControl/Owned.py
  U   Zope/branches/2.12/src/AccessControl/tests/testOwned.py

-=-
Modified: Zope/branches/2.12/doc/CHANGES.rst
===================================================================
--- Zope/branches/2.12/doc/CHANGES.rst	2010-06-16 15:19:21 UTC (rev 113559)
+++ Zope/branches/2.12/doc/CHANGES.rst	2010-06-16 15:20:30 UTC (rev 113560)
@@ -11,6 +11,10 @@
 Bugs Fixed
 ++++++++++
 
+- LP #143403: Prevent accidental acquisition of objectValues during
+  recursive ownership changes when the changed object has no 
+  objectValues method.
+
 - LP #374818: Use module-provided functions as opposed to the old 
   "folder methods" when creating folders and user folders in 
   ZopeTestCase.

Modified: Zope/branches/2.12/src/AccessControl/Owned.py
===================================================================
--- Zope/branches/2.12/src/AccessControl/Owned.py	2010-06-16 15:19:21 UTC (rev 113559)
+++ Zope/branches/2.12/src/AccessControl/Owned.py	2010-06-16 15:20:30 UTC (rev 113560)
@@ -167,7 +167,8 @@
                 return
 
         if recursive:
-            for child in self.objectValues():
+            children = getattr( aq_base(self), 'objectValues', lambda :() )()
+            for child in children:
                 child.changeOwnership(user, 1)
 
         if old is not UnownableOwner:

Modified: Zope/branches/2.12/src/AccessControl/tests/testOwned.py
===================================================================
--- Zope/branches/2.12/src/AccessControl/tests/testOwned.py	2010-06-16 15:19:21 UTC (rev 113559)
+++ Zope/branches/2.12/src/AccessControl/tests/testOwned.py	2010-06-16 15:20:30 UTC (rev 113560)
@@ -258,7 +258,25 @@
                          , (['acl_users'], 'user2')
                          )
 
+    def test_changeOwnership_recursive_objectValues_acquisition(self):
+        # See https://bugs.launchpad.net/bugs/143403
+        from AccessControl.Owned import Owned
+        class FauxContent(Implicit, Owned):
+            pass
+        previous_parent_owner = self.root.parent._owner
+        previous_child_owner = self.root.parent.child._owner
+        previous_grandchild_owner = self.root.parent.child.grandchild._owner
+        newuser = self.uf.getUser('user2').__of__(self.uf)
+        self.root.parent.bad = FauxContent()
 
+        self.root.parent.bad.changeOwnership(newuser, recursive=True)
+        self.assertEquals(self.root.parent._owner, previous_parent_owner)
+        self.assertEquals(self.root.parent.child._owner, previous_child_owner)
+        self.assertEquals( self.root.parent.child.grandchild._owner
+                         , previous_grandchild_owner
+                         )
+
+
 def test_suite():
     return unittest.TestSuite((
         unittest.makeSuite(OwnedTests),

More information about the Zope-Checkins mailing list